Full Report
Russian state-backed hackers are increasingly targeting Signal messenger accounts — including those used by Ukrainian military personnel and government officials — in an effort to access sensitive information that could aid Moscow’s war effort, researchers warn.
Analysis Summary
# Threat Actor: Russian State-Backed Hackers (General Targeting) & Specific Groups (Sandworm, UNC4221, Turla)
## Attribution & Identity
Threat actors are identified as Russian state-backed hackers, operating in support of Moscow’s war effort in Ukraine. Specific affiliated groups mentioned include the notorious **Sandworm**, **UNC4221**, and **Turla**.
## Activity Summary
These actors are engaged in espionage operations targeting users of secure messaging applications, primarily **Signal**, to access sensitive information relevant to the war in Ukraine. Activities include exploiting Signal’s legitimate "linked devices" feature to hijack user accounts and stealing Signal database files from compromised devices.
## Tactics, Techniques & Procedures
- **Phishing:** Using phishing messages to infect devices with spying malware.
- **Malicious QR Codes:** Crafting and distributing malicious QR codes, disguised as legitimate group invites or security alerts, to link victim Signal accounts to attacker-controlled devices via the "linked devices" feature.
- **Impersonation/Evasion:** Embedding malicious QR codes in phishing pages imitating Ukrainian military websites.
- **Tailored Phishing Kits:** UNC4221 developed a kit mimicking the Kropyva artillery guidance application.
- **Payload Deployment:** UNC4221 deployed a JavaScript payload named **Pinpoint** to gather user information and geolocation data.
- **Database Exfiltration:** Stealing Signal database files from Android and Windows devices.
- **Malware Deployment (Exfiltration):** Sandworm deployed **Wavesign** malware to exfiltrate messages from Signal databases.
- **Scripting for Exfiltration:** Turla utilized a **PowerShell script** to exfiltrate Signal desktop messages.
- **Exploiting Battlefield Captures:** Sandworm assisted in linking Signal accounts from captured battlefield devices.
## Targeting
- Sectors: Military, Government, Politicians, Journalists, Activists.
- Geography: Primarily targeting users within Ukraine.
- Victims: Ukrainian military personnel and government officials.
## Tools & Infrastructure
- **Malware families used:** Wavesign (Sandworm), Pinpoint (JavaScript payload used by UNC4221).
- **Other Tools:** Tailored Signal phishing kit (UNC4221), PowerShell script (Turla).
- **Infrastructure:** Malicious QR codes distributed remotely (details not specified beyond distribution method).
## Implications
There is a clear and growing demand by Russian actors to monitor sensitive communications of individuals crucial to Ukraine's defense and governance. Attacks are expected to continue evolving, growing in scope, and potentially spreading to additional threat actors and regions beyond the immediate conflict zone, focusing on intercepting secure messages and location data.
## Mitigations
- Heightened vigilance against phishing attacks targeting secure messaging setup processes (e.g., QR code linking).
- Awareness of lures disguised as legitimate internal/military communications or security alerts.
- Securing and monitoring battlefield devices so that hardware which falls into enemy hands cannot be exploited after capture (e.g., reviewing and unlinking unknown devices from Signal accounts).
- Keeping Signal up to date: the article notes that Signal has shipped updates with enhanced security features against this phishing.
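As an added example (not from the article or the researchers' report), a small detection routine for the Windows database-theft and PowerShell-exfiltration techniques listed above: it walks file-access records shaped like Sysmon file events and flags any process other than Signal Desktop that opens the Signal profile directory, with extra weight for script hosts and copy/upload verbs on the command line. The profile path, process names, `FileEvent` shape and sample events are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Default Signal Desktop profile directory on Windows (an assumption about the
# deployment; adjust the pattern if the profile lives elsewhere).
SIGNAL_DIR_RE = re.compile(r"\\AppData\\Roaming\\Signal\\", re.IGNORECASE)
TRUSTED_IMAGES = {"signal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TRANSFER_VERBS = re.compile(
    r"copy-item|compress-archive|invoke-webrequest|invoke-restmethod|curl\b|scp\b",
    re.IGNORECASE)

@dataclass
class FileEvent:
    """One file-access record, shaped like a Sysmon file event (constructed here)."""
    image: str          # full path of the process that opened the file
    target: str         # file that was opened
    cmdline: str = ""   # command line of that process, when the log carries it

def classify(ev: FileEvent) -> list[str]:
    """Return reasons to alert on this event; an empty list means no finding."""
    reasons: list[str] = []
    if not SIGNAL_DIR_RE.search(ev.target):
        return reasons                       # not the Signal store, ignore
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    if proc in TRUSTED_IMAGES:
        return reasons                       # Signal reading its own database is normal
    reasons.append(f"non-Signal process {proc} opened the Signal Desktop store")
    if proc in SCRIPT_HOSTS:
        reasons.append("script host access matches the scripted exfiltration pattern")
    if TRANSFER_VERBS.search(ev.cmdline):
        reasons.append("command line pairs the file access with copy/upload verbs")
    return reasons

def scan(events: list[FileEvent]) -> list[tuple[FileEvent, list[str]]]:
    """Run classify over a batch and keep only the events that produced findings."""
    return [(ev, r) for ev in events if (r := classify(ev))]

# Constructed sample events: a benign Signal read, a benign unrelated read,
# a scripted copy of the database, and an ad-hoc read by a non-Signal program.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe",
              r"C:\Users\u\AppData\Roaming\Signal\sql\db.sqlite"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\u\Documents\notes.txt"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\u\AppData\Roaming\Signal\sql\db.sqlite",
              r"powershell -c Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\tmp\s.db"),
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\u\AppData\Roaming\Signal\sql\db.sqlite"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image.rsplit("\\", 1)[-1], "->", "; ".join(reasons))
```

In production the same logic would be expressed as a Sysmon FileCreate/FileAccess rule or an EDR query keyed on the profile path, with an allow-list covering backup agents that legitimately read the directory.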